Bug 836738

Summary: --log-prefix wrong after reboot
Product: Fedora    Reporter: Harald Reindl <h.reindl>
Component: iptables    Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE    QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified    Priority: unspecified
Version: 17    CC: bugs.michael, jpopelka, psabata, twoerner
Hardware: Unspecified    OS: Unspecified
Doc Type: Bug Fix    Type: Bug
Last Closed: 2012-06-30 20:53:12 UTC

Description Harald Reindl 2012-06-30 18:34:53 UTC
What happens with LOG rules after a reboot on F17: see below! The same appears in dmesg if a rule is triggered.

The second output is the correct one, after calling my iptables.sh script again.

________________

/sbin/iptables --list --numeric --verbose | grep -i log

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep -i log
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "--log-prefix"

________________


[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep -i log
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "Firewall Portscan: "

Comment 1 Harald Reindl 2012-06-30 18:36:28 UTC
well, and this was a mailing-list thread some time ago about this topic

-------- Original Message --------
Subject: Re: F17: iptables logging "--log-prefix" in dmesg?
Date: Sun, 24 Jun 2012 14:35:30 +0200
From: Reindl Harald <h.reindl>
Reply-To: Community support for Fedora users <users.org>
Organization: the lounge interactive design
To: users.org



On 24.06.2012 14:15, Michael Schwendt wrote:
> On Sun, 24 Jun 2012 14:03:08 +0200, Reindl Harald wrote:
> 
>> what is this in dmesg?
>> why is "--log-prefix" logged here instead of the --log-prefix from whatever rule it was?
>>
>> --log-prefixIN=eth1 OUT= MAC=00:50:8d:b5:cc:de:00:01:5c:24:68:01:08:00 SRC=120.89.73.74 DST=84.113.45.179 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=58168 DF PROTO=TCP SPT=39903 DPT=19 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> is this more likely a kernel-bug or rsyslog?
> 
> What does "iptables-save|grep log-prefix" tell?
> And is it reproducible after "iptables-save|iptables-restore"?

this is VERY strange!
_____________________________

after a reboot without calling my firewall script, which builds all iptables rules
from scratch with iptables commands

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep prefix
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    5   300 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "--log-prefix"
_____________________________

after calling my "iptables.sh" all is fine NOW

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep prefix
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "Firewall Portscan: "
_____________________________

it also looks like iptables-save works as expected

so I have not really any idea what is happening, and at which point
it gets damaged, but since we are speaking about the firewall
I am a little bit nervous

[root@srv-rhsoft:~]$ iptables-save|grep log-prefix
-A INPUT ! -s 91.118.73.0/24 -i eth1 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 91.118.73.0/24 -i eth1 -p tcp -m state --state NEW -m recent --update --seconds 2 --hitcount 150 --name DEFAULT --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW -m recent --update --seconds 2 --hitcount 150 --name DEFAULT --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 ! -i lo -p tcp -m multiport --dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 -m limit --limit 10/hour -j LOG --log-prefix "Firewall Portscan: " --log-level 7
_____________________________
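
The check below is an added example, not code from the reporter, from Fedora or from the iptables project. It parses the three text formats shown in this report (iptables-save output, `iptables --list --numeric --verbose` output, and a raw kernel LOG message) and flags the symptom described here: a LOG rule whose prefix has become the literal string `--log-prefix`, and a kernel line where that literal is glued to the `IN=` field. Comparing the saved rule file against the live listing is the boot-time check the mailing-list reply asks for. The sample inputs are constructed from the listings above (port list shortened); the function names are my own.

```python
"""Check that the loaded iptables LOG rules carry the prefixes the rule file
says they should, and pull the prefix back out of a kernel LOG line.

Added example for this report, not code from the reporter, Fedora or the
iptables project.  It only parses text, so it runs offline; on a real host
feed it the output of  iptables-save  and  iptables --list --numeric --verbose.
"""
import re
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

SAVE_PREFIX_RE = re.compile(r'--log-prefix "([^"]*)"')
LISTING_PREFIX_RE = re.compile(r'\bLOG flags \d+ level \d+ prefix "([^"]*)"')


def prefixes_from_save(text: str) -> List[str]:
    """--log-prefix values of every LOG rule in iptables-save output, in order.
    A LOG rule without the option yields "" (no prefix)."""
    out = []
    for line in text.splitlines():
        if re.search(r"\s-j LOG\b", line):
            m = SAVE_PREFIX_RE.search(line)
            out.append(m.group(1) if m else "")
    return out


def prefixes_from_listing(text: str) -> List[str]:
    """Prefixes shown in the `prefix "..."` column of iptables -L -n -v."""
    return [m.group(1) for m in LISTING_PREFIX_RE.finditer(text)]


def broken_prefixes(prefixes: List[str]) -> List[int]:
    """Indexes of rules whose prefix looks like a leaked option name
    ("--log-prefix" in this report) rather than a real tag."""
    return [i for i, p in enumerate(prefixes) if p.startswith("--")]


def compare_save_and_listing(save_text: str, listing_text: str
                             ) -> List[Tuple[Optional[str], Optional[str]]]:
    """(saved, live) pairs that differ, walking both LOG rule lists in order.
    An empty list means the loaded rules match the rule file; None on one
    side means the two outputs do not even have the same number of LOG rules."""
    saved = prefixes_from_save(save_text)
    live = prefixes_from_listing(listing_text)
    return [(s, l) for s, l in zip_longest(saved, live) if s != l]


def parse_kernel_log_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw kernel LOG message into (prefix, fields).  The prefix is
    whatever precedes the fixed 'IN=' field, which is why a rule prefix of
    '--log-prefix' shows up glued to it in dmesg as in this report.  Bare
    flags such as DF or SYN are recorded with the value "1"."""
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not an iptables LOG line: " + line)
    prefix, rest = line[:idx], line[idx:]
    fields: Dict[str, str] = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else "1"
    return prefix, fields


# Sample inputs constructed from the listings in this report (port list
# shortened).  SAVED is iptables-save form; the other two are what
# iptables -L -n -v printed before and after re-running the rule script.
SAVED = """\
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 ! -i lo -p tcp -m multiport --dports 19,24,52,79 -m limit --limit 10/hour -j LOG --log-prefix "Firewall Portscan: " --log-level 7
-A INPUT -j DROP
"""
AFTER_REBOOT = """\
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    5   300 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "--log-prefix"
"""
AFTER_RELOAD = (AFTER_REBOOT
                .replace('prefix "--log-prefix"', 'prefix "Firewall Rate-Control: "', 1)
                .replace('prefix "--log-prefix"', 'prefix "Firewall Portscan: "', 1))
# The dmesg line quoted in comment 1 of this report.
DMESG_LINE = ("--log-prefixIN=eth1 OUT= MAC=00:50:8d:b5:cc:de:00:01:5c:24:68:01:08:00 "
              "SRC=120.89.73.74 DST=84.113.45.179 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
              "ID=58168 DF PROTO=TCP SPT=39903 DPT=19 WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    print("after reboot:", compare_save_and_listing(SAVED, AFTER_REBOOT))
    print("after reload:", compare_save_and_listing(SAVED, AFTER_RELOAD))
    prefix, fields = parse_kernel_log_line(DMESG_LINE)
    print("kernel line prefix %r, %s -> port %s" % (prefix, fields["PROTO"], fields["DPT"]))
```

On a live host the same functions take `iptables-save` output (or the contents of the rule file the boot-time restore reads) as `save_text` and `iptables --list --numeric --verbose` output as `listing_text`; a non-empty result right after boot, with an empty result after re-running the rule script, is exactly the pattern this report shows. Kernel lines should be fed in as dmesg prints them, without a syslog timestamp or `kernel:` tag in front, since anything before `IN=` is treated as the rule prefix.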

Comment 2 Michael Schwendt 2012-06-30 20:53:12 UTC

*** This bug has been marked as a duplicate of bug 825796 ***